Created attachment 27913
Patch to change "if (s->loglevel >= APLOG_DEBUG)" to APLOG_INFO

In order to log attempts to connect with a revoked client certificate, Apache needs to be configured at debug log level. This seems hardly ok for deployment on production servers.

Source code shows that:
- the log is emitted with APLOG_INFO, which is ok;
- but this is protected by "if (s->loglevel >= APLOG_DEBUG)"...

In ./modules/ssl/ssl_engine_kernel.c @ 1590:

    if (s->loglevel >= APLOG_DEBUG) {
        char *cp = X509_NAME_oneline(issuer, NULL, 0);
        long serial = ASN1_INTEGER_get(sn);

        ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                     "Certificate with serial %ld (0x%lX) "
                     "revoked per CRL from issuer %s",
                     serial, serial, cp);
        modssl_free(cp);
    }

Patch attached.
Applied in r1165056 to trunk/2.4.x and in r1446637 to 2.2.x. Will be contained in 2.2.24.
2.2.24 is released
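Once the message is emitted without debug logging, it can be counted from the error log. The sketch below is an added example, not part of the report or of Apache: it matches only the message text from the ap_log_error() format string quoted in the report, and the log-line prefix, sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Message body from the format string quoted in the report:
#   "Certificate with serial %ld (0x%lX) revoked per CRL from issuer %s"
REVOKED_RE = re.compile(
    r"Certificate with serial (?P<dec>-?\d+) \(0x(?P<hex>[0-9A-F]+)\) "
    r"revoked per CRL from issuer (?P<issuer>.+?)\s*$"
)

# Constructed sample lines. The "[timestamp] [level]" prefix is an assumed
# layout; the parser does not depend on it.
ISSUER = "/C=XX/O=Example/CN=Example CA"
SAMPLE_LOG = [
    f"[Tue Feb 26 10:15:02 2013] [info] Certificate with serial 4660 (0x1234) revoked per CRL from issuer {ISSUER}",
    "[Tue Feb 26 10:15:03 2013] [notice] unrelated constructed line",
    f"[Tue Feb 26 10:16:40 2013] [info] Certificate with serial 255 (0xFF) revoked per CRL from issuer {ISSUER}",
    f"[Tue Feb 26 10:17:11 2013] [info] Certificate with serial 4660 (0x1234) revoked per CRL from issuer {ISSUER}",
    # Decimal and hex disagree: treated as damaged and skipped.
    f"[Tue Feb 26 10:18:00 2013] [info] Certificate with serial 10 (0xB) revoked per CRL from issuer {ISSUER}",
]


def parse_revocation(line):
    """Return (issuer, serial) for a revocation message, else None."""
    m = REVOKED_RE.search(line)
    if not m:
        return None
    serial = int(m.group("dec"))
    # The same value is printed twice (%ld and %lX). A negative value or a
    # mismatch between the two means the line cannot be trusted as written.
    if serial < 0 or int(m.group("hex"), 16) != serial:
        return None
    return m.group("issuer"), serial


def count_revoked_attempts(lines):
    """Count revocation messages per (issuer, serial) pair."""
    hits = Counter()
    for line in lines:
        parsed = parse_revocation(line)
        if parsed:
            hits[parsed] += 1
    return hits


if __name__ == "__main__":
    for (issuer, serial), n in count_revoked_attempts(SAMPLE_LOG).most_common():
        print(f"{n} attempt(s): serial {serial} (0x{serial:X}) issuer {issuer}")
```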